* [libnftnl PATCH] examples: add nft-ruleset-replace
@ 2014-08-26  9:57 Arturo Borrero Gonzalez
  2014-08-26 11:09 ` nft option to flush out the existing ruleset [was Re: [libnftnl PATCH] examples: add nft-ruleset-replace] Pablo Neira Ayuso
  0 siblings, 1 reply; 10+ messages in thread
From: Arturo Borrero Gonzalez @ 2014-08-26  9:57 UTC (permalink / raw)
  To: netfilter-devel; +Cc: pablo

This code example uses the new NFT_MSG_DELTABLE functionality to replace
an entire ruleset in a single transaction/batch.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
---
 examples/Makefile.am           |    4 +
 examples/nft-ruleset-replace.c |  203 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 207 insertions(+)
 create mode 100644 examples/nft-ruleset-replace.c

diff --git a/examples/Makefile.am b/examples/Makefile.am
index 69f5c7f..1fbeff9 100644
--- a/examples/Makefile.am
+++ b/examples/Makefile.am
@@ -23,6 +23,7 @@ check_PROGRAMS = nft-table-add		\
 		 nft-set-elem-get	\
 		 nft-set-elem-del	\
 		 nft-ruleset-get	\
+		 nft-ruleset-replace	\
 		 nft-compat-get
 
 nft_table_add_SOURCES = nft-table-add.c
@@ -94,5 +95,8 @@ nft_set_elem_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
 nft_ruleset_get_SOURCES = nft-ruleset-get.c
 nft_ruleset_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
 
+nft_ruleset_replace_SOURCES = nft-ruleset-replace.c
+nft_ruleset_replace_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
+
 nft_compat_get_SOURCES = nft-compat-get.c
 nft_compat_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
diff --git a/examples/nft-ruleset-replace.c b/examples/nft-ruleset-replace.c
new file mode 100644
index 0000000..8b7babd
--- /dev/null
+++ b/examples/nft-ruleset-replace.c
@@ -0,0 +1,203 @@
+/*
+ * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This software has been sponsored by Sophos Astaro <http://www.sophos.com>
+ */
+
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#include <stddef.h>	/* for offsetof */
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+#include <arpa/inet.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <errno.h>
+
+#include <linux/netfilter.h>
+#include <linux/netfilter/nfnetlink.h>
+#include <linux/netfilter/nf_tables.h>
+
+#include <libmnl/libmnl.h>
+#include <libnftnl/ruleset.h>
+#include <libnftnl/table.h>
+#include <libnftnl/chain.h>
+#include <libnftnl/rule.h>
+#include <libnftnl/expr.h>
+
+static void add_counter(struct nft_rule *r)
+{
+	struct nft_rule_expr *e;
+
+	e = nft_rule_expr_alloc("counter");
+	if (e == NULL) {
+		perror("expr counter oom");
+		exit(EXIT_FAILURE);
+	}
+
+	nft_rule_add_expr(r, e);
+}
+
+static struct nft_rule *setup_rule(uint8_t family, const char *table,
+				   const char *chain)
+{
+	struct nft_rule *r = NULL;
+
+	r = nft_rule_alloc();
+	if (r == NULL) {
+		perror("OOM");
+		exit(EXIT_FAILURE);
+	}
+
+	nft_rule_attr_set(r, NFT_RULE_ATTR_TABLE, table);
+	nft_rule_attr_set(r, NFT_RULE_ATTR_CHAIN, chain);
+	nft_rule_attr_set_u32(r, NFT_RULE_ATTR_FAMILY, family);
+
+	add_counter(r);
+
+	return r;
+}
+
+static struct nft_table *setup_table(uint8_t family, const char *name)
+{
+	struct nft_table *t;
+
+	t = nft_table_alloc();
+	if (t == NULL) {
+		perror("OOM");
+		exit(EXIT_FAILURE);
+	}
+
+	if (name != NULL)
+		nft_table_attr_set_str(t, NFT_TABLE_ATTR_NAME, name);
+
+	nft_table_attr_set_u32(t, NFT_TABLE_ATTR_FAMILY, family);
+
+	return t;
+}
+
+static struct nft_chain *setup_chain(uint8_t family, const char *table,
+				     const char *name)
+{
+	struct nft_chain *c;
+
+	c = nft_chain_alloc();
+	if (c == NULL) {
+		perror("OOM");
+		exit(EXIT_FAILURE);
+	}
+
+	nft_chain_attr_set_str(c, NFT_CHAIN_ATTR_TABLE, table);
+	nft_chain_attr_set_str(c, NFT_CHAIN_ATTR_NAME, name);
+	nft_chain_attr_set_u32(c, NFT_CHAIN_ATTR_FAMILY, family);
+
+	return c;
+}
+
+int main(int argc, char *argv[])
+{
+	struct mnl_socket *nl;
+	struct nft_table *t;
+	struct nft_chain *c;
+	struct nft_rule *r;
+	struct nlmsghdr *nlh;
+	struct mnl_nlmsg_batch *batch;
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+	uint32_t seq = time(NULL), wipe_seq;
+	int ret, i;
+	uint32_t families[4] = { NFPROTO_IPV4,
+				 NFPROTO_IPV6,
+				 NFPROTO_ARP,
+				 NFPROTO_BRIDGE };
+
+	if (!nft_batch_is_supported()) {
+		fprintf(stderr, "This code example requires a newer kernel.\n");
+		exit(EXIT_FAILURE);
+	}
+
+	nl = mnl_socket_open(NETLINK_NETFILTER);
+	if (nl == NULL) {
+		perror("mnl_socket_open");
+		exit(EXIT_FAILURE);
+	}
+
+	if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
+		perror("mnl_socket_bind");
+		exit(EXIT_FAILURE);
+	}
+
+	batch = mnl_nlmsg_batch_start(buf, sizeof(buf));
+	nft_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
+	mnl_nlmsg_batch_next(batch);
+
+	wipe_seq = seq++;
+	t = setup_table(NFPROTO_UNSPEC, NULL);
+	nlh = nft_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+				  NFT_MSG_DELTABLE, NFPROTO_UNSPEC,
+				  NLM_F_ACK, wipe_seq);
+	nft_table_nlmsg_build_payload(nlh, t);
+	nft_table_free(t);
+	mnl_nlmsg_batch_next(batch);
+
+	for (i = 0; i < 4; i++) {
+		t = setup_table(families[i], "test_table");
+		nlh = nft_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+				NFT_MSG_NEWTABLE, families[i],
+				NLM_F_APPEND|NLM_F_CREATE|NLM_F_ACK, seq++);
+		nft_table_nlmsg_build_payload(nlh, t);
+		nft_table_free(t);
+		mnl_nlmsg_batch_next(batch);
+
+		c = setup_chain(families[i], "test_table", "test_chain");
+		nlh = nft_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+				NFT_MSG_NEWCHAIN, families[i],
+				NLM_F_APPEND|NLM_F_CREATE|NLM_F_ACK, seq++);
+		nft_chain_nlmsg_build_payload(nlh, c);
+		nft_chain_free(c);
+		mnl_nlmsg_batch_next(batch);
+
+		r = setup_rule(families[i], "test_table", "test_chain");
+		nlh = nft_rule_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+				NFT_MSG_NEWRULE, families[i],
+				NLM_F_APPEND|NLM_F_CREATE|NLM_F_ACK, seq++);
+		nft_rule_nlmsg_build_payload(nlh, r);
+		nft_rule_free(r);
+		mnl_nlmsg_batch_next(batch);
+	}
+
+	nft_batch_end(mnl_nlmsg_batch_current(batch), seq++);
+	mnl_nlmsg_batch_next(batch);
+
+	ret = mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch),
+				mnl_nlmsg_batch_size(batch));
+	if (ret == -1) {
+		perror("mnl_socket_sendto");
+		exit(EXIT_FAILURE);
+	}
+
+	mnl_nlmsg_batch_stop(batch);
+
+	ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	if (ret == -1) {
+		perror("mnl_socket_recvfrom");
+		exit(EXIT_FAILURE);
+	}
+
+	ret = mnl_cb_run(buf, ret, wipe_seq,
+			 mnl_socket_get_portid(nl), NULL, NULL);
+	if (ret < 0) {
+		perror("mnl_cb_run");
+		exit(EXIT_FAILURE);
+	}
+
+	mnl_socket_close(nl);
+
+	return EXIT_SUCCESS;
+}
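Review bot: Only the reply to the DELTABLE message is examined: the single `mnl_socket_recvfrom` followed by `mnl_cb_run(buf, ret, wipe_seq, ...)` stops at the first successful ACK, while every table/chain/rule message in the batch also requests NLM_F_ACK. If I read the kernel's batch handling right, a failing message later in the batch is acknowledged with an error and the whole transaction is rolled back, yet this program would already have printed nothing and returned EXIT_SUCCESS — the operator believes the ruleset was replaced while the old one is still loaded. The replies should be drained until the socket is empty, using seq 0 so each message's own sequence number is accepted, with a zero-timeout select() loop like the one nft uses for batches (sketched below; it needs `#include <sys/select.h>` and `fd_set readfds; struct timeval tv = { .tv_sec = 0, .tv_usec = 0 }; uint32_t portid; int fd;` declared at the top of main). The unnamed `NFPROTO_UNSPEC` DELTABLE at the head of the batch removes every table of every family, which deserves a comment such as `/* no name + NFPROTO_UNSPEC: delete every table in every family; the batch makes wipe + reload a single transaction */`. Separately, none of the `mnl_nlmsg_batch_next(batch)` calls check the return value, so a batch that outgrows `buf` would be silently truncated, and the unused `argc`/`argv`, the `offsetof` include and the 2012 copyright line look like leftovers from the example this was copied from.
```c
	/* … unchanged: batch build and mnl_socket_sendto … */
	mnl_nlmsg_batch_stop(batch);

	/* Drain every reply: each message asked for NLM_F_ACK and an error in
	 * any of them aborts the whole transaction, so stopping after the
	 * first ACK would hide a rolled-back ruleset. */
	portid = mnl_socket_get_portid(nl);
	fd = mnl_socket_get_fd(nl);
	FD_ZERO(&readfds);
	FD_SET(fd, &readfds);
	ret = select(fd + 1, &readfds, NULL, NULL, &tv);
	while (ret > 0 && FD_ISSET(fd, &readfds)) {
		ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
		if (ret == -1)
			break;
		/* seq 0: accept the per-message sequence numbers of the batch */
		ret = mnl_cb_run(buf, ret, 0, portid, NULL, NULL);
		if (ret == -1)
			break;
		FD_ZERO(&readfds);
		FD_SET(fd, &readfds);
		ret = select(fd + 1, &readfds, NULL, NULL, &tv);
	}
	if (ret == -1) {
		perror("batch reply");
		exit(EXIT_FAILURE);
	}

	mnl_socket_close(nl);
```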



* nft option to flush out the existing ruleset [was Re: [libnftnl PATCH] examples: add nft-ruleset-replace]
  2014-08-26  9:57 [libnftnl PATCH] examples: add nft-ruleset-replace Arturo Borrero Gonzalez
@ 2014-08-26 11:09 ` Pablo Neira Ayuso
  2014-08-26 12:14   ` Patrick McHardy
  2014-09-01 15:07   ` Arturo Borrero Gonzalez
  0 siblings, 2 replies; 10+ messages in thread
From: Pablo Neira Ayuso @ 2014-08-26 11:09 UTC (permalink / raw)
  To: Arturo Borrero Gonzalez; +Cc: netfilter-devel, kaber

Renaming the subject to start a new discussion on something
related. Cc'ing Patrick too, perhaps he can pull some better idea out
of his hat.

On Tue, Aug 26, 2014 at 11:57:16AM +0200, Arturo Borrero Gonzalez wrote:
> This code examples uses the new NFT_MSG_DELTABLE functionality to replace
> an entire ruleset in a single transaction/batch.

Thanks for the example but we already have quite a lot of them, and
this is yet another almost copy and paste that would need to be
maintained.

Please, implement this in nft. I think we can probably have an -x
option, eg.

nft -f -x ruleset-file

The '-x' indicates that you want to flush any previous existing
configuration before loading this 'ruleset-file'.

-xx could also be used to remove any configuration regarding the
existing families in the ruleset-file, ie. if the ruleset-file only
contains a configuration for 'ip', all remaining families are left
untouched.



* Re: nft option to flush out the existing ruleset [was Re: [libnftnl PATCH] examples: add nft-ruleset-replace]
  2014-08-26 11:09 ` nft option to flush out the existing ruleset [was Re: [libnftnl PATCH] examples: add nft-ruleset-replace] Pablo Neira Ayuso
@ 2014-08-26 12:14   ` Patrick McHardy
  2014-08-26 13:12     ` Arturo Borrero Gonzalez
  2014-09-01 15:07   ` Arturo Borrero Gonzalez
  1 sibling, 1 reply; 10+ messages in thread
From: Patrick McHardy @ 2014-08-26 12:14 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Arturo Borrero Gonzalez, netfilter-devel

On Tue, Aug 26, 2014 at 01:09:54PM +0200, Pablo Neira Ayuso wrote:
> Renaming the subject to make it to start a new discussion on something
> related. Cc'ing Patrick too, perhaps he can pull some better idea out
> of his hat.
> 
> On Tue, Aug 26, 2014 at 11:57:16AM +0200, Arturo Borrero Gonzalez wrote:
> > This code examples uses the new NFT_MSG_DELTABLE functionality to replace
> > an entire ruleset in a single transaction/batch.
> 
> Thanks for the example but we already have quite a lot of them, and
> this is yet another almost copy and paste that would need to be
> maintained.
> 
> Please, implement this in nft. I think we can probably have an -x
> option, eg.

Agreed. The naive approach seems to be something like this:

- add a generation ID to the ruleset
- dump the entire ruleset
- generate delete commands for each existing rule/chain/set...
- generate add commands for each new rule/chain/set...
- send the entire thing to the kernel, including the generation ID
- if the generation ID doesn't match, meaning the ruleset has changed
  since the last dump, return an error to userspace, retry


* Re: nft option to flush out the existing ruleset [was Re: [libnftnl PATCH] examples: add nft-ruleset-replace]
  2014-08-26 12:14   ` Patrick McHardy
@ 2014-08-26 13:12     ` Arturo Borrero Gonzalez
  2014-08-26 13:30       ` Patrick McHardy
  2014-08-26 13:38       ` Pablo Neira Ayuso
  0 siblings, 2 replies; 10+ messages in thread
From: Arturo Borrero Gonzalez @ 2014-08-26 13:12 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Pablo Neira Ayuso, Netfilter Development Mailing list

On 26 August 2014 14:14, Patrick McHardy <kaber@trash.net> wrote:
> On Tue, Aug 26, 2014 at 01:09:54PM +0200, Pablo Neira Ayuso wrote:
>> Renaming the subject to make it to start a new discussion on something
>> related. Cc'ing Patrick too, perhaps he can pull some better idea out
>> of his hat.
>>
>> On Tue, Aug 26, 2014 at 11:57:16AM +0200, Arturo Borrero Gonzalez wrote:
>> > This code examples uses the new NFT_MSG_DELTABLE functionality to replace
>> > an entire ruleset in a single transaction/batch.
>>
>> Thanks for the example but we already have quite a lot of them, and
>> this is yet another almost copy and paste that would need to be
>> maintained.
>>
>> Please, implement this in nft. I think we can probably have an -x
>> option, eg.
>
> Agreed. The naive aproach seems to be something like this:
>
> - add a generation ID to the ruleset
> - dump the entire ruleset
> - generate delete commands for each existing rule/chain/set...
> - generate add commands for each new rule/chain/set...
> - send the entire thing to the kernel, including the generation ID
> - if the generation ID doesn't match, meaning the ruleset has changed
>   since the last dump, return an error to userspace, retry

The approach in my patchset is different:

- generate a delete command that will flush all the previous ruleset
- generate add commands for each new rule/chain/set/tables
- send the batch to the kernel

In this approach, we don't care about what is in the kernel previous
to the delete command.

-- 
Arturo Borrero González


* Re: nft option to flush out the existing ruleset [was Re: [libnftnl PATCH] examples: add nft-ruleset-replace]
  2014-08-26 13:12     ` Arturo Borrero Gonzalez
@ 2014-08-26 13:30       ` Patrick McHardy
  2014-08-26 13:47         ` Pablo Neira Ayuso
  2014-08-26 13:38       ` Pablo Neira Ayuso
  1 sibling, 1 reply; 10+ messages in thread
From: Patrick McHardy @ 2014-08-26 13:30 UTC (permalink / raw)
  To: Arturo Borrero Gonzalez
  Cc: Pablo Neira Ayuso, Netfilter Development Mailing list

On 26. August 2014 14:12:57 GMT+01:00, Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> wrote:
>On 26 August 2014 14:14, Patrick McHardy <kaber@trash.net> wrote:
>> On Tue, Aug 26, 2014 at 01:09:54PM +0200, Pablo Neira Ayuso wrote:
>>> Renaming the subject to make it to start a new discussion on
>something
>>> related. Cc'ing Patrick too, perhaps he can pull some better idea
>out
>>> of his hat.
>>>
>>> On Tue, Aug 26, 2014 at 11:57:16AM +0200, Arturo Borrero Gonzalez
>wrote:
>>> > This code examples uses the new NFT_MSG_DELTABLE functionality to
>replace
>>> > an entire ruleset in a single transaction/batch.
>>>
>>> Thanks for the example but we already have quite a lot of them, and
>>> this is yet another almost copy and paste that would need to be
>>> maintained.
>>>
>>> Please, implement this in nft. I think we can probably have an -x
>>> option, eg.
>>
>> Agreed. The naive aproach seems to be something like this:
>>
>> - add a generation ID to the ruleset
>> - dump the entire ruleset
>> - generate delete commands for each existing rule/chain/set...
>> - generate add commands for each new rule/chain/set...
>> - send the entire thing to the kernel, including the generation ID
>> - if the generation ID doesn't match, meaning the ruleset has changed
>>   since the last dump, return an error to userspace, retry
>
>The approach in my patchset is different:
>
>- generate a delete command that will flush all the previous ruleset
>- generate add commands for each new rule/chain/set/tables
>- send the batch to the kernel
>
>In this approach, we don't care about what is in the kernel previous
>to the delete command.

Sure, but as Pablo pointed out, it adds more code that needs to be maintained that isn't strictly necessary.




* Re: nft option to flush out the existing ruleset [was Re: [libnftnl PATCH] examples: add nft-ruleset-replace]
  2014-08-26 13:12     ` Arturo Borrero Gonzalez
  2014-08-26 13:30       ` Patrick McHardy
@ 2014-08-26 13:38       ` Pablo Neira Ayuso
  1 sibling, 0 replies; 10+ messages in thread
From: Pablo Neira Ayuso @ 2014-08-26 13:38 UTC (permalink / raw)
  To: Arturo Borrero Gonzalez
  Cc: Patrick McHardy, Netfilter Development Mailing list

On Tue, Aug 26, 2014 at 03:12:57PM +0200, Arturo Borrero Gonzalez wrote:
> On 26 August 2014 14:14, Patrick McHardy <kaber@trash.net> wrote:
> > On Tue, Aug 26, 2014 at 01:09:54PM +0200, Pablo Neira Ayuso wrote:
> >> Renaming the subject to make it to start a new discussion on something
> >> related. Cc'ing Patrick too, perhaps he can pull some better idea out
> >> of his hat.
> >>
> >> On Tue, Aug 26, 2014 at 11:57:16AM +0200, Arturo Borrero Gonzalez wrote:
> >> > This code examples uses the new NFT_MSG_DELTABLE functionality to replace
> >> > an entire ruleset in a single transaction/batch.
> >>
> >> Thanks for the example but we already have quite a lot of them, and
> >> this is yet another almost copy and paste that would need to be
> >> maintained.
> >>
> >> Please, implement this in nft. I think we can probably have an -x
> >> option, eg.
> >
> > Agreed. The naive aproach seems to be something like this:
> >
> > - add a generation ID to the ruleset
> > - dump the entire ruleset
> > - generate delete commands for each existing rule/chain/set...
> > - generate add commands for each new rule/chain/set...
> > - send the entire thing to the kernel, including the generation ID
> > - if the generation ID doesn't match, meaning the ruleset has changed
> >   since the last dump, return an error to userspace, retry
> 
> The approach in my patchset is different:
> 
> - generate a delete command that will flush all the previous ruleset
> - generate add commands for each new rule/chain/set/tables
> - send the batch to the kernel

We're still going to require the generation ID anyway to catch
interferences between rule updates and rule dumping. My plan is to
make a patch to include this in the nfgenmsg->res_id when dumping the
objects to userspace. The NLM_F_DUMP_INTR is partially solving the
problem for us, but we really need that generation ID to catch changes
between two object dumps.

Anyway I think both approaches are compatible. The one Arturo is
working on should be faster if the kernel supports the flushing from the
nfnl mutex. I think nft should make it the way Patrick proposes if the
kernel doesn't support this command (ie. if it hits -EBUSY when trying
to flush a table).


* Re: nft option to flush out the existing ruleset [was Re: [libnftnl PATCH] examples: add nft-ruleset-replace]
  2014-08-26 13:30       ` Patrick McHardy
@ 2014-08-26 13:47         ` Pablo Neira Ayuso
  2014-08-26 14:35           ` Patrick McHardy
  0 siblings, 1 reply; 10+ messages in thread
From: Pablo Neira Ayuso @ 2014-08-26 13:47 UTC (permalink / raw)
  To: Patrick McHardy
  Cc: Arturo Borrero Gonzalez, Netfilter Development Mailing list

On Tue, Aug 26, 2014 at 02:30:30PM +0100, Patrick McHardy wrote:
> On 26. August 2014 14:12:57 GMT+01:00, Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> wrote:
> >On 26 August 2014 14:14, Patrick McHardy <kaber@trash.net> wrote:
> >> On Tue, Aug 26, 2014 at 01:09:54PM +0200, Pablo Neira Ayuso wrote:
> >>> Renaming the subject to make it to start a new discussion on
> >something
> >>> related. Cc'ing Patrick too, perhaps he can pull some better idea
> >out
> >>> of his hat.
> >>>
> >>> On Tue, Aug 26, 2014 at 11:57:16AM +0200, Arturo Borrero Gonzalez
> >wrote:
> >>> > This code examples uses the new NFT_MSG_DELTABLE functionality to
> >replace
> >>> > an entire ruleset in a single transaction/batch.
> >>>
> >>> Thanks for the example but we already have quite a lot of them, and
> >>> this is yet another almost copy and paste that would need to be
> >>> maintained.
> >>>
> >>> Please, implement this in nft. I think we can probably have an -x
> >>> option, eg.
> >>
> >> Agreed. The naive aproach seems to be something like this:
> >>
> >> - add a generation ID to the ruleset
> >> - dump the entire ruleset
> >> - generate delete commands for each existing rule/chain/set...
> >> - generate add commands for each new rule/chain/set...
> >> - send the entire thing to the kernel, including the generation ID
> >> - if the generation ID doesn't match, meaning the ruleset has changed
> >>   since the last dump, return an error to userspace, retry
> >
> >The approach in my patchset is different:
> >
> >- generate a delete command that will flush all the previous ruleset
> >- generate add commands for each new rule/chain/set/tables
> >- send the batch to the kernel
> >
> >In this approach, we don't care about what is in the kernel previous
> >to the delete command.
> 
> Sure, but as Pablo pointed out, it adds more code that needs to be maintained that isn't strictly neccessary.

Oh, I probably didn't explain well myself. I'd like to see Arturo's
shortcut using _DELTABLE unless you have any concern with them :-).

We still need that generation ID indeed to catch interferences between
two object dumps, I'll send you a patch proposal for this soon.


* Re: nft option to flush out the existing ruleset [was Re: [libnftnl PATCH] examples: add nft-ruleset-replace]
  2014-08-26 13:47         ` Pablo Neira Ayuso
@ 2014-08-26 14:35           ` Patrick McHardy
  0 siblings, 0 replies; 10+ messages in thread
From: Patrick McHardy @ 2014-08-26 14:35 UTC (permalink / raw)
  To: Pablo Neira Ayuso
  Cc: Arturo Borrero Gonzalez, Netfilter Development Mailing list

On Tue, Aug 26, 2014 at 03:47:06PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Aug 26, 2014 at 02:30:30PM +0100, Patrick McHardy wrote:
> > >> - add a generation ID to the ruleset
> > >> - dump the entire ruleset
> > >> - generate delete commands for each existing rule/chain/set...
> > >> - generate add commands for each new rule/chain/set...
> > >> - send the entire thing to the kernel, including the generation ID
> > >> - if the generation ID doesn't match, meaning the ruleset has changed
> > >>   since the last dump, return an error to userspace, retry
> > >
> > >The approach in my patchset is different:
> > >
> > >- generate a delete command that will flush all the previous ruleset
> > >- generate add commands for each new rule/chain/set/tables
> > >- send the batch to the kernel
> > >
> > >In this approach, we don't care about what is in the kernel previous
> > >to the delete command.
> > 
> > Sure, but as Pablo pointed out, it adds more code that needs to be maintained that isn't strictly neccessary.
> 
> Oh, I probably didn't explain well myself. I'd like to see Arturo's
> shortcut using _DELTABLE unless you have any concern with them :-).

No concerns, was just trying to support your arguments :) Either way seems
reasonable to me.

> We still need that generation ID indeed to catch interferences between
> two object dumps, I'll send you a patch proposal for this soon.

Yep, we also need this for set transactions. I suppose we need generation
IDs for each individual object type as well as AF-specific ones which
change for any object change (table level doesn't work because sets are
per AF).


* Re: nft option to flush out the existing ruleset [was Re: [libnftnl PATCH] examples: add nft-ruleset-replace]
  2014-08-26 11:09 ` nft option to flush out the existing ruleset [was Re: [libnftnl PATCH] examples: add nft-ruleset-replace] Pablo Neira Ayuso
  2014-08-26 12:14   ` Patrick McHardy
@ 2014-09-01 15:07   ` Arturo Borrero Gonzalez
  2014-09-01 15:17     ` Patrick McHardy
  1 sibling, 1 reply; 10+ messages in thread
From: Arturo Borrero Gonzalez @ 2014-09-01 15:07 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Netfilter Development Mailing list, Patrick McHardy

On 26 August 2014 13:09, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Please, implement this in nft. I think we can probably have an -x
> option, eg.
>
> nft -f -x ruleset-file
>
> The '-x' indicates that you want to flush any previous existing
> configuration before loading this 'ruleset-file'.
>
> -xx could also be used to remove any configuration regarding the
> existing families in the ruleset-file, ie. if the ruleset-file only
> contains a configuration for 'ip', all remaining families are left
> untouched.
>

Hi Pablo, Patrick.

I've looked into how to implement this '-x' option.

I wonder if it is worth having a more "formal" command instead, like
 % nft flush ruleset
 % nft flush ruleset ip
 % nft flush ruleset ip6
 % nft flush ruleset arp
 [...]

This way, a user loading a new ruleset with -f can just put a first
line like this:

=========
nft flush ruleset
nft add table ip filter
nft add chain ip filter input
nft add rule ip filter input counter
nft add table ip6 filter
nft add chain ip6 filter input
[...]
=========

Or flush per family, as Pablo suggested:

=========
nft flush ruleset inet
nft add table inet filter
[...]
=========

Some benefits of this approach is that we have a concrete order to
flush the ruleset, in the case the user wants no ruleset.
The lack of this shortcut seem an actual concern of some users.

-- 
Arturo Borrero González


* Re: nft option to flush out the existing ruleset [was Re: [libnftnl PATCH] examples: add nft-ruleset-replace]
  2014-09-01 15:07   ` Arturo Borrero Gonzalez
@ 2014-09-01 15:17     ` Patrick McHardy
  0 siblings, 0 replies; 10+ messages in thread
From: Patrick McHardy @ 2014-09-01 15:17 UTC (permalink / raw)
  To: Arturo Borrero Gonzalez
  Cc: Pablo Neira Ayuso, Netfilter Development Mailing list

On Mon, Sep 01, 2014 at 05:07:23PM +0200, Arturo Borrero Gonzalez wrote:
> On 26 August 2014 13:09, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > Please, implement this in nft. I think we can probably have an -x
> > option, eg.
> >
> > nft -f -x ruleset-file
> >
> > The '-x' indicates that you want to flush any previous existing
> > configuration before loading this 'ruleset-file'.
> >
> > -xx could also be used to remove any configuration regarding the
> > existing families in the ruleset-file, ie. if the ruleset-file only
> > contains a configuration for 'ip', all remaining families are left
> > untouched.
> >
> 
> Hi Pablo, Patrick.
> 
> I've looked into how to implement this '-x' option.
> 
> I wonder if it worth having better a "formal" command, like
>  % nft flush ruleset
>  % nft flush ruleset ip
>  % nft flush ruleset ip6
>  % nft flush ruleset arp
>  [...]
> 
> This way, a user loading a new ruleset with -f can just put a first
> line like this:
> 
> =========
> nft flush ruleset
> nft add table ip filter
> nft add chain ip filter input
> nft add rule ip filter input counter
> nft add table ip6 filter
> nft add chain ip6 filter input
> [...]
> =========
> 
> Or flush per family, as Pablo suggested:
> 
> =========
> nft flush ruleset inet
> nft add table inet filter
> [...]
> =========
> 
> Some benefits of this approach is that we have a concrete order to
> flush the ruleset, in the case the user wants no ruleset.
> The lack of this shortcut seem an actual concern of some users.

I agree, this sounds better than a command line option.

